/// <summary>
/// Collects the explicit (non-inherited) ACEs of <paramref name="rsd"/>'s DACL whose SID is not a
/// known global principal — the entries that look tenant-specific ("customized").
/// </summary>
/// <param name="rsd">Security descriptor read from the source object; its DACL is enumerated directly.</param>
/// <returns>The customized ACEs in DACL order; empty when none are found.</returns>
private List<GenericAce> GetCustomizedAces(RawSecurityDescriptor rsd)
{
    var customized = new List<GenericAce>();

    // NOTE(review): a null DACL (rsd.DiscretionaryAcl == null, i.e. "no protection") would throw here — confirm callers never see one.
    foreach (GenericAce ace in rsd.DiscretionaryAcl)
    {
        // Inherited entries are re-derived on the target side, so only explicit ones are candidates.
        if (ace.IsInherited)
        {
            continue;
        }

        SecurityIdentifier sid = TenantRelocationSecurityDescriptorHandler.GetSidFromAce(ace);
        if (sid is null)
        {
            // presumably an ACE type GetSidFromAce cannot read; it is neither copied nor traced — verify against the helper
            continue;
        }

        if (this.IsKnownGlobalPrincipal(sid))
        {
            ExTraceGlobals.TenantRelocationTracer.TraceDebug<string>((long)this.GetHashCode(), "GetCustomizedAces: wellknown SID skipped {0}.", sid.ToString());
            continue;
        }

        ExTraceGlobals.TenantRelocationTracer.TraceDebug<string>((long)this.GetHashCode(), "GetCustomizedAces: customized SID found {0}.", sid.ToString());
        customized.Add(ace);
    }

    return customized;
}
/// <summary>
/// Copies the customized ACEs of the source object's security descriptor onto the target object.
/// When the source carries no customized ACEs the target is left untouched unless
/// <paramref name="forceResetTargetSD"/> is set, in which case the target DACL is still rebuilt and saved
/// (which also drops foreign-domain account ACEs already present on it).
/// </summary>
/// <param name="sourceId">Object in the source tenant whose DACL is inspected.</param>
/// <param name="targetId">Object in the target tenant whose DACL is rewritten and saved.</param>
/// <param name="forceResetTargetSD">Rewrite the target even when no customized ACEs were found on the source.</param>
public void ProcessSecurityDescriptor(ADObjectId sourceId, ADObjectId targetId, bool forceResetTargetSD)
{
    long traceId = (long)this.GetHashCode();
    string sourceDn = sourceId.DistinguishedName;
    ExTraceGlobals.TenantRelocationTracer.TraceDebug<string>(traceId, "ProcessSecurityDescriptor: process object {0}.", sourceDn);

    bool sourceInConfigNC = sourceId.IsDescendantOf(this.sourceConfigNC);
    RawSecurityDescriptor sourceSd = TenantRelocationSecurityDescriptorHandler.ReadSecurityDescriptorWrapper(this.sourceSession, sourceId, sourceInConfigNC);
    List<GenericAce> customizedAces = this.GetCustomizedAces(sourceSd);

    if (customizedAces.Count == 0 && !forceResetTargetSD)
    {
        ExTraceGlobals.TenantRelocationTracer.TraceDebug<string>(traceId, "ProcessSecurityDescriptor: no customized ACEs found on source found {0}, skip update.", sourceDn);
        return;
    }

    bool targetInConfigNC = targetId.IsDescendantOf(this.targetConfigNC);
    RawSecurityDescriptor targetSd = TenantRelocationSecurityDescriptorHandler.ReadSecurityDescriptorWrapper(this.targetSession, targetId, targetInConfigNC);
    RawSecurityDescriptor mergedSd = this.ApplyAcesToTargetSecurityDescriptor(targetSd, customizedAces);

    // UseConfigNC is shared session state: switch it for the save only and restore it even if the save throws.
    bool previousUseConfigNC = this.targetSession.UseConfigNC;
    this.targetSession.UseConfigNC = targetInConfigNC;
    try
    {
        this.targetSession.SaveSecurityDescriptor(targetId, mergedSd);
    }
    finally
    {
        this.targetSession.UseConfigNC = previousUseConfigNC;
    }

    ExTraceGlobals.TenantRelocationTracer.TraceDebug<string>(traceId, "ProcessSecurityDescriptor: process done object {0}.", sourceDn);
}
/// <summary>
/// Rebuilds <paramref name="targetSd"/>'s DACL: target ACEs whose SID is an account SID from a domain
/// other than <c>targetDomainSid</c> are dropped, the remaining target ACEs are kept in their original
/// order, and <paramref name="sourceAces"/> are appended after them. The descriptor is modified in place
/// and also returned.
/// </summary>
/// <param name="targetSd">Security descriptor of the target object; its DiscretionaryAcl is replaced.</param>
/// <param name="sourceAces">Customized ACEs taken from the source object, appended verbatim.</param>
/// <returns>The same <paramref name="targetSd"/> instance with the rebuilt DACL.</returns>
private RawSecurityDescriptor ApplyAcesToTargetSecurityDescriptor(RawSecurityDescriptor targetSd, List<GenericAce> sourceAces)
{
    var retained = new List<GenericAce>();
    foreach (GenericAce ace in targetSd.DiscretionaryAcl)
    {
        SecurityIdentifier sid = TenantRelocationSecurityDescriptorHandler.GetSidFromAce(ace);
        if (sid is null)
        {
            // NOTE(review): an ACE whose SID cannot be read is silently dropped from the target DACL — confirm intended.
            continue;
        }

        // AccountDomainSid is null for non-account SIDs; IsAccountSid() is evaluated first so Equals is only reached when it is set.
        bool foreignAccountSid = sid.IsAccountSid() && !sid.AccountDomainSid.Equals(this.targetDomainSid);
        if (foreignAccountSid)
        {
            ExTraceGlobals.TenantRelocationTracer.TraceDebug<string>((long)this.GetHashCode(), "ApplyAcesToTargetSecurityDescriptor: customized SID found {0} on target object, removed.", sid.ToString());
            continue;
        }

        retained.Add(ace);
    }

    // Capacity is fixed before the source entries are merged in.
    var rebuilt = new RawAcl(targetSd.DiscretionaryAcl.Revision, retained.Count + sourceAces.Count);

    // NOTE(review): source ACEs land after the target's (possibly inherited) entries, so the result is not
    // guaranteed to be in canonical order (explicit deny, explicit allow, then inherited); confirm the save path tolerates that.
    retained.AddRange(sourceAces);
    int position = 0;
    foreach (GenericAce ace in retained)
    {
        rebuilt.InsertAce(position++, ace);
    }

    targetSd.DiscretionaryAcl = rebuilt;
    return targetSd;
}
/// <summary>
/// Decides whether <paramref name="sid"/> is a global (not tenant-specific) principal that must not be
/// treated as a customized ACE: either its RID is at most 1000 or it is one of the well-known Exchange
/// security principals.
/// </summary>
/// <param name="sid">SID extracted from an ACE.</param>
/// <returns><c>true</c> when the SID is a known global principal.</returns>
private bool IsKnownGlobalPrincipal(SecurityIdentifier sid)
{
    int rid = TenantRelocationSecurityDescriptorHandler.GetRidFromSecurityIdentifier(sid);

    // NOTE(review): the bound is inclusive; in a standard AD domain 1000 is the first pool-allocated RID,
    // so a genuinely customized principal with RID 1000 would be classified as global — confirm intended.
    if (rid <= 1000)
    {
        return true;
    }

    return this.wellKnownExchangeSecurityPrincipals.Contains(sid);
}